Recently one of our clients, who has an SBS 2003 server (which also acts as a Domain Controller), faced an issue logging on to the server with the Administrator account. The following error was received: “The local policy of this system does not permit you to logon interactively”.
This issue was resolved by removing the Administrator account from the Remote Operators group and from the Domain Power Users group.
Note that the Domain Power Users group will always be a member of the Remote Operators group, which should not be changed.
By default, the built-in Administrator in Windows SBS is a member of the following groups:
- Domain Admins
- Domain Users
- Enterprise Admins
- Group Policy Creator Owners
- Mobile Users
- Schema Admins
You might also notice the following error in Event Viewer:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
User: NT AUTHORITY\SYSTEM
Reason: The user has not been granted the requested logon type at this machine
User Name: administrator
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: computername
Caller User Name: computername$
Caller Domain: EXAMPLE
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 5828
Transited Services: –
Source Network Address: 127.0.0.1
Source Port: 0
Once the Administrator account has been removed from these groups, log on to the server to confirm that the issue is resolved.
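To check an account against the default list above before changing anything, the following is an added example (not part of the original post) that compares a saved membership listing with the defaults and picks out the two groups named in the fix. It assumes the listing is one quoted distinguished name per line, such as the output of `dsget user <UserDN> -memberof`; the sample DNs, the domain `example.local` and the `Helpdesk, Tier 2` group are constructed for illustration.

```python
import re

# Default memberships of the built-in Administrator, as listed in the post.
SBS_DEFAULT_GROUPS = {"Domain Admins", "Domain Users", "Enterprise Admins",
                      "Group Policy Creator Owners", "Mobile Users", "Schema Admins"}
# Groups the post removed the account from to restore interactive logon.
GROUPS_REMOVED_IN_POST = {"Remote Operators", "Domain Power Users"}

# First RDN of a DN; allows backslash-escaped characters such as "\,".
_CN_RE = re.compile(r'^CN=((?:\\.|[^,\\])+)', re.IGNORECASE)


def group_names(dn_lines):
    """Extract group common names from lines of quoted distinguished names."""
    names = []
    for line in dn_lines.splitlines():
        match = _CN_RE.match(line.strip().strip('"'))
        if match:
            # Drop the escaping backslashes to recover the display name.
            names.append(re.sub(r'\\(.)', r'\1', match.group(1)))
    return names


def audit_membership(dn_lines):
    """Compare actual membership with the default list from the post."""
    actual = {n.casefold(): n for n in group_names(dn_lines)}
    defaults = {n.casefold() for n in SBS_DEFAULT_GROUPS}
    flagged = {n.casefold() for n in GROUPS_REMOVED_IN_POST}
    known = defaults | flagged
    return {
        "named_in_post": sorted(actual[k] for k in actual if k in flagged),
        "other_non_default": sorted(actual[k] for k in actual if k not in known),
        "missing_defaults": sorted(n for n in SBS_DEFAULT_GROUPS
                                   if n.casefold() not in actual),
    }


# Constructed sample listing (made-up domain and OU layout, not real output).
SAMPLE = r'''
"CN=Domain Admins,CN=Users,DC=example,DC=local"
"CN=Domain Users,CN=Users,DC=example,DC=local"
"CN=Enterprise Admins,CN=Users,DC=example,DC=local"
"CN=Group Policy Creator Owners,CN=Users,DC=example,DC=local"
"CN=Schema Admins,CN=Users,DC=example,DC=local"
"CN=Remote Operators,OU=Security Groups,OU=MyBusiness,DC=example,DC=local"
"CN=Domain Power Users,OU=Security Groups,OU=MyBusiness,DC=example,DC=local"
"CN=Helpdesk\, Tier 2,OU=Security Groups,OU=MyBusiness,DC=example,DC=local"
'''

if __name__ == "__main__":
    for key, groups in audit_membership(SAMPLE).items():
        print(f"{key}: {'; '.join(groups) or '-'}")
```

Anything reported under `other_non_default` is only a difference from the default list, so review it rather than removing it automatically.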
Reference: http://support.microsoft.com/kb/841188